Bug 710372
Summary: | Not able to open the Manage Certificate from DS-console
---|---
Product: | Red Hat Directory Server
Component: | Directory Console
Version: | 8.2
Status: | CLOSED CURRENTRELEASE
Severity: | unspecified
Priority: | high
Reporter: | Amita Sharma <amsharma>
Assignee: | Rich Megginson <rmeggins>
QA Contact: | Viktor Ashirov <vashirov>
CC: | amsharma, jgalipea, nkinder
Keywords: | Reopened
Flags: | rmeggins: needinfo+
Hardware: | Unspecified
OS: | Unspecified
Doc Type: | Bug Fix
Last Closed: | 2016-05-06 14:32:41 UTC
Bug Depends On: | 717730, 717738
Bug Blocks: | 434915
Can you attach the /var/log/dirsrv/admin-serv/error from the errors log?

Yeah, sure Rich, here it is:

[Fri Jun 03 13:42:35 2011] [notice] Access Host filter is: *.pnq.redhat.com
[Fri Jun 03 13:42:35 2011] [notice] Access Address filter is: *
[Fri Jun 03 13:42:38 2011] [notice] [client 10.65.201.218] admserv_host_ip_check: ap_get_remote_host could not resolve 10.65.201.218
[Fri Jun 03 13:44:29 2011] [notice] [client 10.65.201.218] admserv_host_ip_check: ap_get_remote_host could not resolve 10.65.201.218
[Fri Jun 03 13:44:54 2011] [notice] [client 10.65.201.218] admserv_host_ip_check: ap_get_remote_host could not resolve 10.65.201.218
[Fri Jun 03 13:45:33 2011] [notice] [client 10.65.201.218] admserv_host_ip_check: ap_get_remote_host could not resolve 10.65.201.218
[Fri Jun 03 13:46:26 2011] [notice] caught SIGTERM, shutting down
[Fri Jun 03 13:46:27 2011] [notice] SELinux policy enabled; httpd running as context unconfined_u:system_r:httpd_t:s0
[Fri Jun 03 13:46:28 2011] [crit] populate_tasks_from_server(): Unable to search [cn=admin-serv-testvm,cn=389 Administration Server,cn=Server Group,cn=testvm.pnq.redhat.com,ou=pnq.redhat.com,o=NetscapeRoot] for LDAPConnection [testvm.pnq.redhat.com:389]
[Fri Jun 03 13:46:28 2011] [notice] Access Host filter is: *.pnq.redhat.com
[Fri Jun 03 13:46:28 2011] [notice] Access Address filter is: *
[Fri Jun 03 13:46:29 2011] [notice] Apache/2.2.15 (Unix) configured -- resuming normal operations
[Fri Jun 03 13:46:29 2011] [crit] populate_tasks_from_server(): Unable to search [cn=admin-serv-testvm,cn=389 Administration Server,cn=Server Group,cn=testvm.pnq.redhat.com,ou=pnq.redhat.com,o=NetscapeRoot] for LDAPConnection [testvm.pnq.redhat.com:389]
[Fri Jun 03 13:46:29 2011] [notice] Access Host filter is: *.pnq.redhat.com
[Fri Jun 03 13:46:29 2011] [notice] Access Address filter is: *
[Fri Jun 03 13:46:39 2011] [notice] [client 10.65.201.218] admserv_host_ip_check: ap_get_remote_host could not resolve 10.65.201.218

Can you post the directory server access log from /var/log/dirsrv/slapd-testvm/access? I'd like to see what is happening in the directory server from around the time of

[Fri Jun 03 13:46:28 2011] [crit] populate_tasks_from_server(): Unable to search [cn=admin-serv-testvm,cn=389 Administration Server,cn=Server Group,cn=testvm.pnq.redhat.com,ou=pnq.redhat.com,o=NetscapeRoot] for LDAPConnection [testvm.pnq.redhat.com:389]

and

[Fri Jun 03 13:46:29 2011] [crit] populate_tasks_from_server(): Unable to search [cn=admin-serv-testvm,cn=389 Administration Server,cn=Server Group,cn=testvm.pnq.redhat.com,ou=pnq.redhat.com,o=NetscapeRoot] for LDAPConnection [testvm.pnq.redhat.com:389]

[03/Jun/2011:13:46:00 +051800] conn=1 op=80 SRCH base="cn=replica,cn=dc\3Dtestsuff\2Cdc\3Dcom,cn=mapping tree,cn=config" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs=ALL
[03/Jun/2011:13:46:00 +051800] conn=1 op=80 RESULT err=32 tag=101 nentries=0 etime=0
[03/Jun/2011:13:46:00 +051800] conn=1 op=81 SRCH base="cn=replica,cn=dc\3Dtestsuff\2Cdc\3Dcom,cn=mapping tree,cn=config" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs=ALL
[03/Jun/2011:13:46:00 +051800] conn=1 op=81 RESULT err=32 tag=101 nentries=0 etime=0
[03/Jun/2011:13:46:00 +051800] conn=1 op=82 SRCH base="cn=replication,cn=config" scope=2 filter="(objectClass=*)" attrs=ALL
[03/Jun/2011:13:46:00 +051800] conn=1 op=82 RESULT err=0 tag=101 nentries=1 etime=0
[03/Jun/2011:13:46:00 +051800] conn=1 op=83 SRCH base="cn=replica,cn=dc\3Dtestsuff\2Cdc\3Dcom,cn=mapping tree,cn=config" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs=ALL
[03/Jun/2011:13:46:00 +051800] conn=1 op=83 RESULT err=32 tag=101 nentries=0 etime=0
[03/Jun/2011:13:46:01 +051800] conn=1 op=84 SRCH base="cn=replica,cn=dc\3Dtestami\2Cdc\3Dcom,cn=mapping tree,cn=config" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs=ALL
[03/Jun/2011:13:46:01 +051800] conn=1 op=84 RESULT err=32 tag=101 nentries=0 etime=0
[03/Jun/2011:13:46:01 +051800] conn=1 op=85 SRCH base="cn=replica,cn=dc\3Dtestami\2Cdc\3Dcom,cn=mapping tree,cn=config" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs=ALL
[03/Jun/2011:13:46:01 +051800] conn=1 op=85 RESULT err=32 tag=101 nentries=0 etime=0
[03/Jun/2011:13:46:01 +051800] conn=1 op=86 SRCH base="cn=replica,cn=dc\3Dtestami\2Cdc\3Dcom,cn=mapping tree,cn=config" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs=ALL
[03/Jun/2011:13:46:01 +051800] conn=1 op=86 RESULT err=32 tag=101 nentries=0 etime=0
[03/Jun/2011:13:46:01 +051800] conn=1 op=87 SRCH base="cn=replica,cn=dc\3Dtestami\2Cdc\3Dcom,cn=mapping tree,cn=config" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs=ALL
[03/Jun/2011:13:46:01 +051800] conn=1 op=87 RESULT err=32 tag=101 nentries=0 etime=0
[03/Jun/2011:13:46:01 +051800] conn=1 op=88 SRCH base="cn=replica,cn=dc\3Dtestami\2Cdc\3Dcom,cn=mapping tree,cn=config" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs=ALL
[03/Jun/2011:13:46:01 +051800] conn=1 op=88 RESULT err=32 tag=101 nentries=0 etime=0
[03/Jun/2011:13:46:01 +051800] conn=1 op=89 SRCH base="cn=replication,cn=config" scope=2 filter="(objectClass=*)" attrs=ALL
[03/Jun/2011:13:46:01 +051800] conn=1 op=89 RESULT err=0 tag=101 nentries=1 etime=0
[03/Jun/2011:13:46:01 +051800] conn=1 op=90 SRCH base="cn=replica,cn=dc\3Dtestami\2Cdc\3Dcom,cn=mapping tree,cn=config" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs=ALL
[03/Jun/2011:13:46:02 +051800] conn=1 op=90 RESULT err=32 tag=101 nentries=0 etime=1
[03/Jun/2011:13:46:02 +051800] conn=1 op=91 SRCH base="cn=replica,cn=dc\3Dtestnew\2Cdc\3Dcom,cn=mapping tree,cn=config" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs=ALL
[03/Jun/2011:13:46:02 +051800] conn=1 op=91 RESULT err=32 tag=101 nentries=0 etime=0
[03/Jun/2011:13:46:02 +051800] conn=1 op=92 SRCH base="cn=replica,cn=dc\3Dtestnew\2Cdc\3Dcom,cn=mapping tree,cn=config" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs=ALL
[03/Jun/2011:13:46:03 +051800] conn=1 op=92 RESULT err=32 tag=101 nentries=0 etime=1
7971,14 91%

I tried and it opens fine for me. The place I tried is under "Tasks" tab in DS-console. The build is on RHEL 6.1 32bit

[i386.a yi@dhcp-118 /dstet/testcases/DS/6.0] rpm -qa | grep console
389-ds-console-1.2.5-1.el6.noarch
389-console-1.1.4-1.el6.noarch
idm-console-framework-1.1.7-1.el6.noarch
389-admin-console-1.1.7-1.el6.noarch
[i386.a yi@dhcp-118 /dstet/testcases/DS/6.0] rpm -qa | grep ds-base
389-ds-base-libs-1.2.8.2-1.el6.i686
389-ds-base-1.2.8.2-1.el6.i686

Can we mark this as closed notabug?

Is this problem reproducible, or can it be closed?

This can not be reproduced on the current release. If it is found again, please reopen with reproducible steps.

Created attachment 510505 [details]
0001-Bug-710372-Not-able-to-open-the-Manage-Certificate-f.patch
Comment on attachment 510505 [details]
0001-Bug-710372-Not-able-to-open-the-Manage-Certificate-f.patch
Looks good!
I'm just curious... Originally, NSS_Shutdown failure was causing the problem. It looks like SSL/NSS APIs are all terse and log nothing even if any of them fails... Could it be possible to report something if something goes wrong? Or not necessary?
(In reply to comment #12)
> Comment on attachment 510505 [details]
> 0001-Bug-710372-Not-able-to-open-the-Manage-Certificate-f.patch
>
> Looks good!
> I'm just curious... Originally, NSS_Shutdown failure was causing the problem.
> It looks like SSL/NSS APIs are all terse and log nothing even if any of them
> fails... Could it be possible to report something if something goes wrong?
> Or not necessary?

Yes. We should report a failure from NSS_Shutdown. We don't even check the return value now.

To ssh://git.fedorahosted.org/git/389/admin.git
   49799b2..814b7ec  master -> master
commit 814b7ecc9e245171a9abfcc17be8b9aa1f3fd047
Author: Rich Megginson <rmeggins>
Date:   Tue Jun 28 17:34:45 2011 -0600
    Reviewed by: nkinder (Thanks!)
    Branch: master
    Fix Description: NSS_Initialize fails to open the cert db for the specified directory server because NSS_Shutdown failed. That failed because of a memory leak in openldap using moznss: http://www.openldap.org/its/index.cgi?findid=6980 and https://bugzilla.redhat.com/show_bug.cgi?id=717730
    The workaround is to use a new NSS InitContext to open the key/cert db.
    Platforms tested: RHEL6 x86_64
    Flag Day: no
    Doc impact: no

For now I am following:
1. Setenforce 1
2. Try to open the manage certificate console window
3. It is opening fine.
Hence marking bug as VERIFIED.

This seems to have been resolved as per instructions in: bug #712491
Created attachment 502755 [details]
Error

Description of problem:
Not able to open the Manage Certificate from DS-console

Steps to Reproduce:
1. Trying to open manage Certificate from 389-console, giving error as PFA.

Logs:

[root@testvm ~]# tail -f /var/log/dirsrv/slapd-testvm/errors
[03/Jun/2011:13:46:20 +051800] - 389-Directory/1.2.8.3 B2011.123.1759 starting up
[03/Jun/2011:13:46:20 +051800] NSMMReplicationPlugin - changelog program - _cl5AppInit: fetched backend dbEnv (1216210)
[03/Jun/2011:13:46:20 +051800] NSMMReplicationPlugin - changelog program - _cl5DBOpen: opened 0 existing databases in /var/lib/dirsrv/slapd-testvm/changelogdb
[03/Jun/2011:13:46:20 +051800] NSMMReplicationPlugin - agmtlist_config_init: found 0 replication agreements in DIT
[03/Jun/2011:13:46:20 +051800] NSMMReplicationPlugin - changelog program - _cl5GetDBFile: no DB object found for database /var/lib/dirsrv/slapd-testvm/changelogdb/c2c0f682-7ada11e0-9f92b85c-b3c05de4_4dde02460000000b0000.db4
[03/Jun/2011:13:46:20 +051800] NSMMReplicationPlugin - changelog program - cl5GetUpperBoundRUV: could not find DB object for replica
[03/Jun/2011:13:46:20 +051800] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[03/Jun/2011:13:46:20 +051800] - Listening on All Interfaces port 636 for LDAPS requests
[03/Jun/2011:13:46:40 +051800] NSMMReplicationPlugin - changelog program - _cl5GetDBFile: no DB object found for database /var/lib/dirsrv/slapd-testvm/changelogdb/c2c0f682-7ada11e0-9f92b85c-b3c05de4_4dde02460000000b0000.db4
[03/Jun/2011:13:46:40 +051800] NSMMReplicationPlugin - changelog program - cl5GetOperationCount: could not get DB object for replica
^C

[root@testvm ~]# tail -f /var/log/dirsrv/slapd-testvm/access
[03/Jun/2011:13:46:39 +051800] conn=10 fd=66 slot=66 SSL connection from 10.65.201.218 to 10.65.201.218
[03/Jun/2011:13:46:39 +051800] conn=9 op=2 UNBIND
[03/Jun/2011:13:46:39 +051800] conn=9 op=2 fd=68 closed - U1
[03/Jun/2011:13:46:39 +051800] conn=10 SSL 256-bit AES
[03/Jun/2011:13:46:40 +051800] conn=10 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[03/Jun/2011:13:46:40 +051800] conn=10 op=0 RESULT err=0 tag=97 nentries=0 etime=1 dn="cn=directory manager"
[03/Jun/2011:13:46:40 +051800] conn=10 op=1 SRCH base="cn=config" scope=2 filter="(objectClass=*)" attrs=ALL
[03/Jun/2011:13:46:40 +051800] conn=10 op=1 RESULT err=0 tag=101 nentries=482 etime=0
[03/Jun/2011:13:46:40 +051800] conn=10 op=2 UNBIND
[03/Jun/2011:13:46:40 +051800] conn=10 op=2 fd=66 closed - U1
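
The correlation asked for in the thread (which directory server operations failed around the time of the admin-serv [crit] entries) can be scripted. This is an added example, not part of the original bug report or the 389 project's code; the function names and the 30-second window are assumptions, and the log samples are constructed in the two formats quoted above.

```python
import re
from datetime import datetime, timedelta

# Constructed samples in the two formats quoted in this bug (not the real logs).
ADMIN_ERRORS = """
[Fri Jun 03 13:46:26 2011] [notice] caught SIGTERM, shutting down
[Fri Jun 03 13:46:28 2011] [crit] populate_tasks_from_server(): Unable to search [cn=example] for LDAPConnection [testvm.example.com:389]
"""
ACCESS = r"""
[03/Jun/2011:13:40:00 +051800] conn=1 op=80 SRCH base="cn=replica,cn=dc\3Dold\2Cdc\3Dcom,cn=mapping tree,cn=config" scope=0
[03/Jun/2011:13:40:00 +051800] conn=1 op=80 RESULT err=32 tag=101 nentries=0 etime=0
[03/Jun/2011:13:46:27 +051800] conn=1 op=89 SRCH base="cn=replication,cn=config" scope=2
[03/Jun/2011:13:46:27 +051800] conn=1 op=89 RESULT err=0 tag=101 nentries=1 etime=0
[03/Jun/2011:13:46:27 +051800] conn=1 op=90 SRCH base="cn=replica,cn=dc\3Dtestami\2Cdc\3Dcom,cn=mapping tree,cn=config" scope=0
[03/Jun/2011:13:46:28 +051800] conn=1 op=90 RESULT err=32 tag=101 nentries=0 etime=1
[03/Jun/2011:13:46:29 +051800] conn=9 op=2 fd=68 closed - U1
"""
ADMIN_RE = re.compile(r"^\[(\w{3} \w{3} \d{2} [\d:]{8} \d{4})\] \[(\w+)\] ")
ACCESS_RE = re.compile(r"^\[(\S+) [+-]\d+\] conn=(\d+) op=(\d+) ([A-Z]+) ?(.*)$")

def crit_times(admin_text):
    """Timestamps of [crit] entries in an admin-serv error log."""
    return [datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
            for m in map(ADMIN_RE.match, admin_text.splitlines())
            if m and m.group(2) == "crit"]

def failed_ops_near(access_text, when, window=timedelta(seconds=30)):
    """Pair each RESULT with its request by (conn, op); keep err != 0 near `when`."""
    requests, hits = {}, []
    for m in map(ACCESS_RE.match, access_text.splitlines()):
        if not m:
            continue  # connection/close lines carry no operation keyword
        key = (int(m.group(2)), int(m.group(3)))
        if m.group(4) != "RESULT":
            requests[key] = (m.group(4), m.group(5))
            continue
        err = re.search(r"\berr=(\d+)", m.group(5))
        # The admin-serv log has no UTC offset, so compare wall-clock time
        # (assumes both logs were written on the same host).
        ts = datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S")
        if err and int(err.group(1)) != 0 and abs(ts - when) <= window:
            verb, detail = requests.get(key, ("?", ""))
            hits.append((key[0], key[1], verb, int(err.group(1)), detail))
    return hits

if __name__ == "__main__":
    for t in crit_times(ADMIN_ERRORS):
        for conn, op, verb, err, detail in failed_ops_near(ACCESS, t):
            print(f"{t} conn={conn} op={op} {verb} err={err} {detail}")
```

In the access log, err=32 is the LDAP noSuchObject result code, so the output lists which search bases did not exist at the moment the admin server logged its failure.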